
Summary
This detection rule identifies file deletion activity on Windows systems, particularly the kind seen during intrusions in which adversaries clean up artifacts and traces of their presence. The rule uses CrowdStrike EDR logs to find instances where specific commands (`Remove-Item`, `del`, or `rmdir`) are executed within a two-hour window. These commands are commonly used in PowerShell and the command prompt to remove files or directories. Under the defense evasion tactic, as identified by MITRE ATT&CK technique T1070.004, this behavior often indicates an attempt to obscure malicious actions and maintain unauthorized access without detection. By filtering for processes whose recorded command lines contain these deletion commands, the rule aims to improve threat detection and visibility over potentially malicious file activity within the network. The referenced atomic tests validate the rule's effectiveness against known deletion techniques.
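As an added illustration (not the rule's own logic or CrowdStrike's query language), the Python below applies the same matching to constructed process events: it flags command lines that invoke `Remove-Item`, `del` or `rmdir` and groups the hits per host inside a sliding two-hour window. The event field names and the minimum-count threshold are assumptions, not part of the rule text.

```python
import re
from datetime import datetime, timedelta

# The three deletion commands the rule names. The pattern is anchored to a
# command token so a path such as C:\tools\model.exe does not match "del".
DELETION_CMD = re.compile(
    r"(?:^|[\s;&|(])(?:Remove-Item|del|rmdir)(?=[\s\"']|$)", re.IGNORECASE
)

# Constructed sample process events (field names are an assumption, not the
# CrowdStrike schema). WS01 shows a clean-up burst; WS02 has one routine delete.
SAMPLE_EVENTS = [
    {"ts": "2024-02-09T10:00:00", "host": "WS01", "cmd": "powershell.exe Remove-Item C:\\Users\\Public\\tool.ps1 -Force"},
    {"ts": "2024-02-09T10:45:00", "host": "WS01", "cmd": 'cmd.exe /c del /q "C:\\Windows\\Temp\\stage.bin"'},
    {"ts": "2024-02-09T11:30:00", "host": "WS01", "cmd": "cmd.exe /c rmdir /s /q C:\\Windows\\Temp\\drop"},
    {"ts": "2024-02-09T15:10:00", "host": "WS02", "cmd": "cmd.exe /c del C:\\Users\\bob\\notes.txt"},
    {"ts": "2024-02-09T15:20:00", "host": "WS02", "cmd": "C:\\Program Files\\model.exe --train"},
]


def is_deletion_command(cmd: str) -> bool:
    """True when the command line invokes one of the rule's deletion commands."""
    return DELETION_CMD.search(cmd) is not None


def deletion_bursts(events, window=timedelta(hours=2), min_count=2):
    """Return {host: [matching command lines]} for hosts where at least
    min_count deletion commands fall inside one sliding window.
    min_count is an assumed threshold; the rule text fixes only the window."""
    per_host = {}
    for ev in events:
        if is_deletion_command(ev["cmd"]):
            per_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["ts"]), ev["cmd"]))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        times = [t for t, _ in hits]
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_count:
                alerts[host] = [c for _, c in hits[start:end + 1]]
    return alerts


if __name__ == "__main__":
    for host, cmds in deletion_bursts(SAMPLE_EVENTS).items():
        print(host, "->", cmds)
```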
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
- File
ATT&CK Techniques
- T1070.004
- T1070.003
- T1059.001
Created: 2024-02-09